On Fri, 22 Apr 2022 11:16:42 +0200, Philip Hands <p...@hands.com> wrote: >I understand the urge to insist upon absolute DFSG purity in the media >we produce, but when it comes to wanting to avoid every last shred of >data that we could not regenerate ourselves, I think we crossed that >line some time ago. > >I'm thinking of shim-signed, which is included in our official media. > >Despite being free software in source form, it is signed by Microsoft, >and can only be expected to work with that signature ... which we cannot >create. > >On most (all?) hardware one is able to avoid UEFI secure-boot, so won't >need to use shim-signed, but I'd imagine that some hardware insists on >secure-boot, or the opt-outs are somehow broken and so is not usable >without shim-signed.
Excuse me for asking a user question on -devel, but do we have any docs where someone explains how much a security trade off is shim-signed relativ to the optimum? I think that using shim-signed is surely worse than a directly signed kernel, but I don't know whether I can tell my system (or shim-signed?) to accept MY or Debian's signed kernel without the Microsoft intermediate signature, and whether this is any more secure than running an encrypted system without secure boot at all. Do we have docs for that? >Is the presence of shim-signed on the install media enough to make >people feel somehow contaminated? I think so, yes. Personally, I don't care too much but i can understand why some people might. >If not, is the problem having other blobs of data on the media that we >also cannot generate, or is it the licensing of that data, or something >else? We can compile shim-signed and compare the signed code with our own object code, can't we? That we we would only have to worry about the validity and benignness of the signature and not worry about having undocumented functionality in the signed code. >If it ensures that fewer people abandon Debian out of frustration with >the install then I'd suggest that it will actually result in less >non-free software being used overall, as will having the option to >enable only non-free-firmware without also enabling non-free. Those are the people who use Ubuntu without even trying Debian because somebody told them that Debian is SO hard to install. Greetings Marc -- -------------------------------------- !! No courtesy copies, please !! ----- Marc Haber | " Questions are the | Mailadresse im Header Mannheim, Germany | Beginning of Wisdom " | Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
